User Guide

Cookie Security

FortiWeb Cloud can protect against cookie poisoning and other cookie-based attacks. When the Cookie Security module is added, FortiWeb Cloud signs all cookies by default.

To create cookie security rules
  1. Go to SECURITY RULES > Cookie Security.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.

    Cookie Replay Protection

    Enable this so that FortiWeb Cloud uses the IP address of a request to determine the owner of the cookie, which protects against replay attacks.

    Set Max Cookie Age

    Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.

    To configure no expiry age for cookies, enter 0.

    Security Mode

    • None—FortiWeb Cloud does not apply cookie tampering protection or encrypt cookie values.
    • Signed—Prevents tampering (cookie poisoning) by tracking the cookie value.
      When FortiWeb Cloud receives the first HTTP or HTTPS request from a client, it uses a cookie to track the session. When you select this option, the session-tracking cookie includes a hash value that FortiWeb Cloud uses to detect tampering with the cookies set in the back-end server response. If FortiWeb Cloud determines that a cookie returned by the client has changed, it takes the configured action.
    • Encrypted—Encrypts cookie values the back-end web server sends to clients. Clients see only encrypted cookies. FortiWeb Cloud decrypts cookies submitted by clients before it sends them to the back-end server.

    Set Secure Cookie

    Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page.

    This function applies to cookies set by the origin server. To modify cookies that originate from the browser, see Secure flag for internal Cookie in Endpoints.

    Set HTTP Only Cookie

    Enable to add the "HTTP Only" flag to cookies, which prevents client-side scripts from accessing the cookie.

    This function applies to cookies set by the origin server. To modify cookies that originate from the browser, see HTTP Only flag for internal Cookie in Endpoints.

    Don't Block Until

    If Allow Suspicious Cookies is Custom, enter the date on which FortiWeb Cloud starts to take the specified action against suspicious cookies.

    Exempted Cookies

    If you want to specify cookies that are exempted from the cookie security policy, click to add cookie names.

    If you use a wildcard in the cookie name, check the box beside the cookie name field.

  3. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Deny (no log)

    Block the request (or reset the connection) but do not generate log messages.

    Remove Cookie

    Accept the request, but remove the cookie from the datagram before it reaches the web server, and generate a log message.

  4. Click SAVE.

Allow Suspicious Cookies

Select whether FortiWeb Cloud allows requests that contain cookies it does not recognize, or that are missing cookies.

In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives.

To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

  • Never—FortiWeb Cloud does not take the specified action against suspicious cookies.
  • Always—FortiWeb Cloud always takes the specified action against suspicious cookies.
  • Custom—FortiWeb Cloud takes the specified action against suspicious cookies starting on the date specified by Don't Block Until.
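The Signed mode, replay protection, max cookie age, Secure/HttpOnly flags and exempted cookies described above, shown as an added Python illustration of how such a gateway can work. This is not FortiWeb Cloud's code; the tracking-cookie name `wafsig`, the key and the `timestamp.hmac` layout are constructed assumptions.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"   # constructed for the example; a real gateway keeps its key secret
TRACK = "wafsig"                # hypothetical name of the session-tracking cookie

def _tag(pairs, client_ip, ts):
    """HMAC over the tracked name=value pairs, the client IP (replay protection) and issue time."""
    msg = "|".join(f"{n}={v}" for n, v in sorted(pairs)) + f"|{client_ip}|{ts}"
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def protect_response(cookies, client_ip, now, exempt=frozenset()):
    """Rewrite origin Set-Cookie pairs: add Secure and HttpOnly flags, and append a
    tracking cookie whose hash covers every non-exempt cookie and the client IP."""
    ts = int(now)
    headers = [f"{n}={v}; Secure; HttpOnly" for n, v in cookies]
    tracked = [(n, v) for n, v in cookies if n not in exempt]
    headers.append(f"{TRACK}={ts}.{_tag(tracked, client_ip, ts)}; Secure; HttpOnly")
    return headers

def to_cookie_header(set_cookie_headers):
    """Build the Cookie header a browser would send back from those Set-Cookie headers."""
    return "; ".join(h.split(";", 1)[0] for h in set_cookie_headers)

def check_request(cookie_header, client_ip, now, max_age_min, exempt=frozenset()):
    """Classify an incoming Cookie header: 'ok', 'tampered' (value or IP changed),
    'expired' (older than max_age_min; 0 disables expiry) or 'suspicious' (no tracker)."""
    jar = SimpleCookie(cookie_header)
    if TRACK not in jar:
        return "suspicious"          # unrecognized/missing tracker: Allow Suspicious Cookies decides
    ts_str, _, tag = jar[TRACK].value.partition(".")
    if not ts_str.isdigit():
        return "suspicious"
    ts = int(ts_str)
    if max_age_min and now - ts > max_age_min * 60:
        return "expired"
    pairs = [(n, m.value) for n, m in jar.items() if n != TRACK and n not in exempt]
    if not hmac.compare_digest(tag, _tag(pairs, client_ip, ts)):
        return "tampered"
    return "ok"
```

Exempted cookies are left out of the hash, so a client may change them freely; a changed non-exempt value or a different source IP fails verification.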